automated: Update flake.lock

Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].

[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request

flake.lock

@@ -76,11 +76,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1766549013,
+        "lastModified": 1767672212,
-        "narHash": "sha256-GTT+poVhfyQ3JoKIneAT8tZgUEt0KyC6jN6LewIDYLY=",
+        "narHash": "sha256-CGQgo92QKzCnRUF2wjEPsaIoKajVU5EyK1aDaMwo1xg=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "356637020672729e7d406e65cb2e72a633301aba",
+        "rev": "461ec70d76363e9f76588afe59e02fbbc69da80e",
         "type": "gitlab"
       },
       "original": {
@@ -125,11 +125,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1767609335,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
         "type": "github"
       },
       "original": {
@@ -242,11 +242,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766553851,
+        "lastModified": 1767688629,
-        "narHash": "sha256-hHKQhHkXxuPJwLkI8wdu826GLV5AcuW9/HVdc9eBnTU=",
+        "narHash": "sha256-kX1BVq5zoowePHssEjmpc6FNT3vVZNZaCXd7mfvCsxg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7eca7f7081036a7b740090994c9ec543927f89a7",
+        "rev": "bfaba198af72338b8dbda59887859d7a30c6643c",
         "type": "github"
       },
       "original": {
@@ -417,11 +417,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1766568855,
+        "lastModified": 1767185284,
-        "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=",
+        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80",
+        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
         "type": "github"
       },
       "original": {
@@ -502,11 +502,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1766309749,
+        "lastModified": 1767379071,
-        "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=",
+        "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816",
+        "rev": "fb7944c166a3b630f177938e478f0378e64ce108",
         "type": "github"
       },
       "original": {
@@ -552,11 +552,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765911976,
+        "lastModified": 1767281941,
-        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
+        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
+        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
         "type": "github"
       },
       "original": {
@@ -596,11 +596,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766544144,
+        "lastModified": 1767667566,
-        "narHash": "sha256-5ppfEyZqX6FMluZHty7Dvw4xN10vLq1yQosp7dGG/28=",
+        "narHash": "sha256-COy+yxZGuhQRVD1r4bWVgeFt1GB+IB1k5WRpDKbLfI8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "5359a4fdc3fa9baa2edcf49758d404dfeeca7743",
+        "rev": "056ce5b125ab32ffe78c7d3e394d9da44733c95e",
         "type": "github"
       },
       "original": {
@@ -616,11 +616,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766289575,
+        "lastModified": 1767499857,
-        "narHash": "sha256-BOKCwOQQIP4p9z8DasT5r+qjri3x7sPCOq+FTjY8Z+o=",
+        "narHash": "sha256-0zUU/PW09d6oBaR8x8vMHcAhg1MOvo3CwoXgHijzzNE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "9836912e37aef546029e48c8749834735a6b9dad",
+        "rev": "ecc41505948ec2ab0325f14c9862a4329c2b4190",
         "type": "github"
       },
       "original": {
@@ -650,11 +650,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1766440186,
+        "lastModified": 1767652667,
-        "narHash": "sha256-7B/dntEDan+pMB8B/sG6599f3mQaySAJL+c9NhdMP7k=",
+        "narHash": "sha256-zsgfockkvK0JrSvzVAb8JeUq3SDdITu6ViUf7yeIpi4=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "844294a58ef0badb3067c4f2fe063030537eb624",
+        "rev": "a4406d9799d002c41296c72378a1094a8fc9aa1b",
         "type": "github"
       },
       "original": {

systems/artemision/secrets.yaml

@@ -10,7 +10,7 @@ example_booleans:
     - ENC[AES256_GCM,data:6SJ0JKI=,iv:J0qSvWoOcDwSXCKyau+a0YcCGuH5WABHVh6Kdigac20=,tag:WQdNfjcubbzoHnQW4gua8g==,type:bool]
 apps:
     spotify: ENC[AES256_GCM,data:tIABPphA7Vr6VNvJpWTS9kDmidU=,iv:ciQzr8jyIcHYi797NKypPs7FhDgK5ToVZ0eZHHF8UtE=,tag:wUTL/x1p24cXyPUAL1dPfg==,type:str]
-wifi-env: ENC[AES256_GCM,data:2BM4wQq+RfASkg9lcH+fW7eD0VaPJMXABp3z0sYXqZbVzv9R9eAxSokxzcifT/1JK8PBwvZkWtEFrKAT3phXIZzoEySnGKGYazz8fqWWWhMJotLNNo5VkX70hLppgE9vYxf9vQSq0PLWYCN0jUO0H9mHjOT6mDzKUHegcC53jzkNY3WTfLkyzDWJVMP9IbVQ22N5QlJbzZNqrNTaOtcRm06PBz7pNuEKOy4jj5ipZOh6ceR81Xy6BXM7MzFN27lYbzfVvcDmlwqPORAmr7/00QBy2cp38rTswJEzYf1x2Q==,iv:DSTVPw9qtmo02/usZZDpHsYlX3sSW+2XrnawtBkRNmQ=,tag:3p3eW+3BEQrOmHlBNUEOaA==,type:str]
+wifi-env: ENC[AES256_GCM,data:mxPCyunx8yOahcuVhZCzuqAt/G89lMBnZme+qwcxO4LsCftx7h2FotA+wnlj1++vmPW5zL72q2kzxh0KcVlYqK9fpOrMY/FJeJXWYNMZIHesmWKlaaeA1wM/q1dSllwuVuULp9WQzipiQHwcCCLseo3bmCsYpbs8PUibrDgbDqXreTSjJBNTVzwOGpz1bZCSpEynS+dQQViRSNcVeYTOLxrOTxx5lyEOIhgIc3167ObhK+7bJVG2ZcP209Gllip4XkCj/FKnEwg2vVF5Dpofz7T2Op5ef/oNzahhKmCa+k7OPqITWwPYZg7pqAf6jdMy4eBP/A==,iv:Q6IMqePFwd1b1pSuh+TIwcag2bbJXyIYUmJWY6UaaqI=,tag:UZ5ak6nmHkNG0uBMTl1CwQ==,type:str]
 #ENC[AES256_GCM,data:G9ggYJ3YA+E=,iv:nZ5NgeyNKFXFIpquoY68Z2Jz9QROqvf5tv7/s1wSgKk=,tag:QAX555IsAMaWAlz9ywSzjQ==,type:comment]
 sops:
     age:
@@ -23,8 +23,8 @@ sops:
             d09aSXN0ZUh3VC9XeTZ4UWoxVDNVN0UKF1eU/IQJgJ8Fg+MrfqQuEZZ775hvtUJR
             D/ZS4vj+sDLWq6gy2lIBhRSIAHWrz5gHxvOOGmRnpvkqh9TS6XjLIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-15T15:37:51Z"
+    lastmodified: "2026-01-03T19:32:16Z"
-    mac: ENC[AES256_GCM,data:qJ8NdnzVrgQb0rGwjZFHrS+eJrUjQEk4M4uo5bnk4eY7aKaHejARcYOIhp0H/DMdlix+Dm3DAAeeRWn8AKCatXaSzYD/VHHbjfp0lKBCsC8CZFeCELQ5GGEHnVot3WGb4J+QdfupwdduExSSMd6XeZGFVbSGhLzRbiiWA+i8I3o=,iv:oxWiDCH60apKT0/fJbWp1cIZ9cvd6mJKlP3xAjMBXIo=,tag:0We6eCJnsncujCt+CwK9UQ==,type:str]
+    mac: ENC[AES256_GCM,data:q5NppTtZZA9Oo15zI0pAZ/YN2qu0TneDPMJY9rXtWlYfG7Pq5taRyc9MpV7CyEt+qWMkN//O3/sA4jmQTtpT8JuYIEa+/x5cfSZ5w0ErjKdV4/IyDs1LPDKNLXIWlmPMo61VvsKW9DZRBRml9qtR1ypeHBuz0pjECBwAQPEcw9k=,iv:X7wUOxn4BsvqCPmNZvH75hyAzUeD7Qtp+4e4SLpPWlI=,tag:Dp6Bu3zEkRaRPdOwWil13g==,type:str]
     pgp:
         - created_at: "2024-11-28T18:57:09Z"
           enc: |-
@@ -39,4 +39,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

systems/artemision/wifi.nix

@@ -11,7 +11,7 @@ in
   networking.wireless = {
     enable = true;
     secretsFile = config.sops.secrets."wifi-env".path;
-    userControlled.enable = true;
+    userControlled = true;
     networks = {
       "taetaethegae-2.0" = {
         pskRaw = "ext:PASS_taetaethegae_20";
@@ -29,6 +29,7 @@ in
       "Verizon_ZLHQ3H".pskRaw = "ext:PASS_angie";
       "Fios-Qn3RB".pskRaw = "ext:PASS_parkridge";
       "Mojo Dojo Casa House".pskRaw = "ext:PASS_Carly";
+      "bwe_guest".pskRaw = "ext:PASS_BWE_NE";
 
       # Public wifi connections
       # set public_wifi on line 5 to true if connecting to one of these
@@ -45,7 +46,7 @@ in
     defaultSopsFile = ./secrets.yaml;
     secrets = {
       "wifi-env" = {
-        owner = "root";
+        owner = "wpa_supplicant";
         restartUnits = [ "wpa_supplicant.service" ];
       };
     };

systems/palatine-hill/docker/arr.nix

@@ -11,7 +11,7 @@ let
       ctype = lib.strings.toUpper container_type;
     in
     {
-      "${ctype}__POSTGRES__HOST" = "host.docker.internal";
+      "${ctype}__POSTGRES__HOST" = "/var/run/postgresql";
       "${ctype}__POSTGRES__PORT" = toString config.services.postgresql.settings.port;
     };
 in
@@ -54,7 +54,7 @@ in
         PUID = "600";
         PGID = "100";
         TZ = "America/New_York";
-        POSTGRES_HOST = "host.docker.internal";
+        POSTGRES_HOST = "/var/run/postgresql";
         POSTGRES_PORT = toString config.services.postgresql.settings.port;
       };
       environmentFiles = [
@@ -63,10 +63,10 @@ in
       volumes = [
         "${vars.primary_docker}/bazarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
         "--network=arrnet"
-        "--add-host=host.docker.internal:host-gateway"
       ];
       autoStart = true;
     };
@@ -86,10 +86,12 @@ in
       ];
       extraOptions = [
         "--network=arrnet"
-
-        "--add-host=host.docker.internal:host-gateway"
       ];
-      volumes = [ "${vars.primary_docker}/prowlarr:/config" ];
+      volumes = [
+        "${vars.primary_docker}/prowlarr:/config"
+
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
       autoStart = true;
     };
     radarr = {
@@ -109,10 +111,10 @@ in
       volumes = [
         "${vars.primary_docker}/radarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
         "--network=arrnet"
-        "--add-host=host.docker.internal:host-gateway"
       ];
       autoStart = true;
     };
@@ -133,10 +135,10 @@ in
       volumes = [
         "${vars.primary_docker}/sonarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
         "--network=arrnet"
-        "--add-host=host.docker.internal:host-gateway"
       ];
       autoStart = true;
     };
@@ -157,11 +159,10 @@ in
       volumes = [
         "${vars.primary_docker}/lidarr:/config"
         "${vars.primary_plex_storage}/data:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [
         "--network=arrnet"
-        "--add-host=host.docker.internal:host-gateway"
-
       ];
       autoStart = true;
     };
@@ -176,6 +177,7 @@ in
       volumes = [
         "${vars.primary_docker}/unpackerr:/config"
         "${vars.primary_plex_storage}:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [ "--network=arrnet" ];
       autoStart = true;
@@ -193,6 +195,7 @@ in
       volumes = [
         "${vars.primary_docker}/notifiarr:/config"
         "${vars.primary_plex_storage}:/data"
+        "/var/run/postgresql:/var/run/postgresql"
       ];
       extraOptions = [ "--network=arrnet" ];
       autoStart = true;
@@ -206,18 +209,20 @@ in
         PGID = "100";
         TZ = "America/New_York";
         DB_TYPE = "postgres";
-        DB_HOST = "host.docker.internal";
+        DB_HOST = "/var/run/postgresql";
         DB_PORT = toString config.services.postgresql.settings.port;
       };
       environmentFiles = [
         config.sops.secrets."docker/jellyseerr".path
       ];
-      volumes = [ "${vars.primary_docker}/overseerr:/config" ];
+      volumes = [
+        "${vars.primary_docker}/overseerr:/config"
+        "/var/run/postgresql:/var/run/postgresql"
+      ];
       # TODO: remove ports later since this is going through web
       extraOptions = [
         "--network=arrnet"
         "--network=haproxy-net"
-        "--add-host=host.docker.internal:host-gateway"
         # "--health-cmd \"wget --no-verbose --tries 1 --spider http://localhost:5055/api/v1/status || exit 1\""
         # "--health-start-period 20s"
         # "--health-timeout 3s"
@@ -235,13 +240,34 @@ in
 
   sops = {
     secrets = {
-      "docker/notifiarr".owner = "docker-service";
+      "docker/notifiarr" = {
-      "docker/bazarr".owner = "docker-service";
+        owner = "docker-service";
-      "docker/prowlarr".owner = "docker-service";
+        restartUnits = [ "docker-notifiarr.service" ];
-      "docker/radarr".owner = "docker-service";
+      };
-      "docker/sonarr".owner = "docker-service";
+      "docker/bazarr" = {
-      "docker/lidarr".owner = "docker-service";
+        owner = "docker-service";
-      "docker/jellyseerr".owner = "docker-service";
+        restartUnits = [ "docker-bazarr.service" ];
+      };
+      "docker/prowlarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-prowlarr.service" ];
+      };
+      "docker/radarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-radarr.service" ];
+      };
+      "docker/sonarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-sonarr.service" ];
+      };
+      "docker/lidarr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-lidarr.service" ];
+      };
+      "docker/jellyseerr" = {
+        owner = "docker-service";
+        restartUnits = [ "docker-jellyseerr.service" ];
+      };
     };
   };
 }

systems/palatine-hill/firewall.nix

@@ -1,7 +1,19 @@
 { ... }:
 
 {
-  networking.firewall.allowedTCPPorts = [
+  networking.firewall = {
+
+    extraCommands = "
+      iptables -I nixos-fw 1 -i br+ -j ACCEPT
+    ";
+
+    extraStopCommands = "
+      iptables -D nixos-fw -i br+ -j ACCEPT
+    ";
+
+    trustedInterfaces = [ "br+" ];
+
+    allowedTCPPorts = [
       # qbit
       8081
       8082
@@ -33,9 +45,7 @@
       8686
       8787
       5055
-
-    # temp postgres
-    5432
     ];
 
+  };
 }

systems/palatine-hill/postgresql.nix

@@ -29,6 +29,12 @@ in
            # Let other names login as themselves
            superuser_map      /^(.*)$   \1
       '';
+      authentication = ''
+        local  bazarr  bazarr  scram-sha-256
+        local  /.*arr-main  /.*arr  scram-sha-256
+        local  /.*arr-log  /.*arr  scram-sha-256
+        local  jellyseerr  jellyseerr  scram-sha-256
+      '';
 
       # initialScript = config.sops.secrets."postgres/init".path;
       ensureDatabases = [

systems/palatine-hill/samba.nix

@@ -12,7 +12,7 @@
         #"use sendfile" = "yes";
         #"max protocol" = "smb2";
         # note: localhost is the ipv6 localhost ::1
-        "hosts allow" = "192.168.76. 127.0.0.1 localhost";
+        "hosts allow" = "192.168.76. 127.0.0.1 localhost 192.168.191.";
         "hosts deny" = "0.0.0.0/0";
         "guest account" = "nobody";
         "map to guest" = "bad user";

systems/palatine-hill/secrets.yaml

@@ -27,11 +27,11 @@ docker:
     protonvpn-start-script: ENC[AES256_GCM,data:ZnlDpCLdILHXSUCI6itWkqO4y75Lwjj7qT1DBkfueLneQOaQ0JhuE2FbOOajkmI046nP9fMrJbu3g4QZHsq1g8yqGU1wb0OOT+eS9+M92Md29B4NnUdwnVAO6/RzvRKXP2tsQ4iprx9An+BEFwZYD6WG6DQc6NjJVSgRcYvfH9rQey2VdwLysNsgFCs8eC6QgikqBpeg4eOIvDDNbdXPKkW+ZPph9xpzGkcFIMwlX5esg0n7qyUoMvWwBn4avC46U5erOw0fNajY60ri9sm5Afht6LZrFal71Hx/K9/5EXBp9dD4teLO2Ew0CQX0i94pKCuR207l9868s7Ao3udLp4wbiLnXoRKq+w==,iv:qR0kNYpb50NXEqSksvHBPAaRG51RKCsSwTq32nosxzo=,tag:+xRQyuWi4Ja/N9lcd11oJA==,type:str]
     notifiarr: ENC[AES256_GCM,data:XxVEhp4Rei6mRcdSSooRnofuVNZDalVhDYiVUmvQUr8QihrVRMKRE9Kpl5PGWUBw,iv:urMLaUf3XUjMks2vk0E7iRUU3mLHBiMAiwtQgmWQq20=,tag:dHdTOyC/ukd71UlYEI5fWw==,type:str]
     bazarr: ENC[AES256_GCM,data:x+JdRCl3x3OM3lWmgcWikJSEnh5c5He5HmuLzCGAQ8zUXMi2Z3Kf6LzL+aoqtCBu3rabYZmQSLBoDm9CPkk=,iv:7e+3w46RUD2/OSlwrEe7BRxUqPPdt5+obIjQA8pr3xY=,tag:rHSijp/tcf/SGp5y4kJ0cw==,type:str]
-    prowlarr: ENC[AES256_GCM,data:AyOaj1nYCxeycBgp5sfNKz3A158FuXVg0DCoLrOE9YnUIAjo+5PW9HMdpCEiK0OfgoMPcUZNZowLYYY0goxwC+4+tB87TnBz2YpXTX8L7YO2JA+g7hA=,iv:IaZxKl5ypdIQ4f4SAHQtaUC20lbYL1b7mptu/FVB6k4=,tag:A9eQI9gG7wkSEPt6Mdg3Zw==,type:str]
+    prowlarr: ENC[AES256_GCM,data:hr3hYwRw0+/UD8anqZQjGy7rPkV2pad4Xi5FdXSf3Ftd1/jwlYfMqhqgEngFX30LLMWvJvjeu1TkTNzSEwI6ZCPdefNVYYwWavtm+XcBVxffGvFZ,iv:EXW48288IcCeGs/vP4tkAI4dxQAOh92Na43q/9cyuSc=,tag:pnYR26MDd82DjeUPdwCoUw==,type:str]
-    radarr: ENC[AES256_GCM,data:vqjqRsDjFm30yMrzWsWC6prYSEUQ+4v0hlDqJ6FS39hNFaGtGAsulUWv9MAJ11xI9CLsjjQUtpQ5KlRkYlHo5FnzeXCpK05ewkhYyqa7NKE=,iv:sKdxA5AtxpFpuiUYpz3NW2Fjc+ZKFmiJqibdQ3P6pVg=,tag:tDlJpApk4g6SYFzyn8Z/HA==,type:str]
+    radarr: ENC[AES256_GCM,data:qCfoeEHb0ng5GhaY3QZiFvLVb25ZHNmgT0bRqEjBcelyP2819zCL7LxUPr08FxivEYZiAMFVleRozL8NMg6O5fh+2BatcYOfyh99zxIC,iv:HV3gTTnrjtab7x4Be+7hSe+nrD6BnPAmZBsHzi9Fujg=,tag:O6x0FDlasuJSRrGL/9SwpQ==,type:str]
-    sonarr: ENC[AES256_GCM,data:IooG9LDXpdbQcknriSdowPwNv++yfj54mko49rtm4B8IVEV30B5o8iZhGXmSgpLsH9QtP/PmkuczjiiwlPI2QM5iRxpjUz2456a1hi61/uY=,iv:/PagjmFtJgkYKFPmZD5qI8DzdiuUIX8m0lapdZBXUus=,tag:Ppew0fepqgnhvTorwalhEw==,type:str]
+    sonarr: ENC[AES256_GCM,data:X/hM31ZyHybvy2eQzVnmq8CH1AqBgz1pxq7tKC4lZB3ryAbnEIJksffem8+35tWt/0r5cEH4aaIKD1kS7Q+Ma+8JrRLcWkt6CZq/wspz,iv:44FfdVpQCposXshzNe5DXAxExeQzjVKhkZaVbgKo8KU=,tag:WIWWUt1XBngUTwwqhCrcNw==,type:str]
-    lidarr: ENC[AES256_GCM,data:9YtVafa4/SQ78+DJ52emGyLHCWpJpnhc+2DwGBQ0uhFiee7ZRFy+O0kHPPyNly8sgP9UOZt+53D4sAv9S8hOCnJTAbHiNnzTbjQmZtnvgnc=,iv:dlF5wtcphEhg5jxb8YSIF9/2Vj1KY10Vza/OGK1jXRM=,tag:8qmdQjRv30VqRReOzr6UEA==,type:str]
+    lidarr: ENC[AES256_GCM,data:xERBECneutNUMZRrHukp8CaNrpI7SXUB16zUkauNP2+wto3eIc/K+2nMCkbwSC9AKlSjnUGSiORmAWn/jofTAuEzQljkCR1XCSkJRMmL,iv:iKf4fZtCfdjT/KuMFK5VFoLAV+Lll8uJowe9Q4cHyYw=,tag:xzmATTkrYRYm9Mw23zEO5g==,type:str]
-    jellyseerr: ENC[AES256_GCM,data:eKZo7Yw6j0qeyHidHu3R+2yZrHOMlM/O2VTY0CF/AUzm21LNO5UDItORoBCJfPvpnbA=,iv:jVJ77jXNwCEPRWKgKP8E7SrxdS0RFa486nq6cMkqvMc=,tag:Bndao3nx18nmJ1yaXLmWIg==,type:str]
+    jellyseerr: ENC[AES256_GCM,data:7dDfHFp8+WbJqrf7Ms/gmfroBePwegXh5CXn5FcOz8IEK7rTvr9KZfz9x/1BwdD8,iv:ZPi3OcMfH76A08piKY4P7hFbeMyouwBoeN5oL3ExzKU=,tag:oOZ37dy/y+DFqNRfAHexvQ==,type:str]
 acme:
     bunny: ENC[AES256_GCM,data:P2yROVUga9mORcq8VR/l0i4/2Vod1zvlYq+ZJLLNKow0SpblkwQX/i1ucQYAOkTTRddN+3C+t0zj1rMWkdLoaLjEUJJi3VsSxi+chV2FFiVKFQGEcg24,iv:aQvGgGLsgRGoEmwTgZHR8Jm/MYxmGtVTT/fZKaTLeMs=,tag:m3ssF4O8qs4yxvMu6yUcjw==,type:str]
     dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
@@ -50,8 +50,8 @@ sops:
             cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
             LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-24T03:17:22Z"
+    lastmodified: "2025-12-25T17:45:31Z"
-    mac: ENC[AES256_GCM,data:TreH0Z2S91ZyMreMSv0AIFJs1lrOCqTrsKHY2MrU0O+wdJlCdn4ggVGlS9L+oGpZ8fXoUcLdMvc0M3wCFZauM86SVMW+BDiPp93P6JLX8mDlLJPE1tfsw6ueaeKZJIhlbnlLSWHjNBrkybuT11HxXAjJIHav1Jf0S42lIMhq1Tc=,iv:ajcZxYvsMGmauj37MIJjWvzqlLAeqBiPbuqof2suTPU=,tag:7vQ4LnoHTrdUxnmhRgUANA==,type:str]
+    mac: ENC[AES256_GCM,data:lVRqQWnO1RvmoW13/xCpP2SvibccRWwmr1Gyj6EgrE+V+Iu1bfnZRkTkHiFIQqQLQgCy2qBiSHeZF/dNERe83eEwpXgRQAduarpE/qL8K1mxcwf5HMMYACjlNfsL/I1/TCJrJ7DZBxI4neRLetc5OpScVXqHj1neOodD/g8n+ls=,iv:+gZpo0I2NVYz24o42mUW/OkfONqNSjgaJeKeFdKx7dg=,tag:EJnpiotQuBKth21mdhvjZQ==,type:str]
     pgp:
         - created_at: "2024-11-28T18:56:39Z"
           enc: |-

users/alice/home/zsh.nix

@@ -1,9 +1,10 @@
-{ lib, ... }:
+{ lib, config, ... }:
 {
 
   programs.zsh = {
 
     enable = true;
+    dotDir = "${config.xdg.configHome}/zsh";
     oh-my-zsh = {
       enable = true;
       plugins = [

users/default.nix

@@ -22,6 +22,7 @@
     (lib.mkIf config.programs.wireshark.enable "wireshark")
     (lib.mkIf config.virtualisation.docker.enable "docker")
     (lib.mkIf (with config.services.locate; (enable && package == pkgs.plocate)) "plocate")
+    (lib.mkIf config.networking.wireless.enable "wpa_supplicant")
     "libvirtd"
     "dialout"
     "plugdev"